# cfml-general
s
From the article: "More specifically, if you look in your access logs for any requests having been made with a querystring including the phrase `_cfclient` (an underscore before cfclient), that will either be there for legitimate use of the cfclient feature (which I've still not seen in the wild, in all the servers I have helped people in mitigating this, so far), or it would/could be an illegitimate/illicit/hacky use."
z
please use threads
a
That looks like it's trying the exploit. There is no reason for `_cfclient` to be in the QueryString (unless maybe if you actually built something specifically with `<cfclient>`).
s
No, I don't have anything built specifically for cfclient. The attacker was able to upload a file called Comments.cfm and then run requests like this to modify files: `Comment.cfm?fuseaction=edit&path=D:\home\xxxxxxxx.com\xxx\xxx&h=&file=footer.cfm`
See the hidden code placed in this file that was uploaded and included in all requests:
```cfml
<cfset pathdata = ToString(ToBinary('StringHereThatReferencesZeroByteJPGWithURL'))/>
<cffile action="append" file="#pathdata#" output="xxxxxxx">
```
I found the same breach on 2 sites hosted with Hostek (on different plans) around the same time. Anyone using Hostek shared plans, PLEASE CHECK YOUR CODE JUST TO BE SAFE.
m
More than checking your code, please make sure your servers are patched and not ignored. For all software it is a pain, but the threats are real... it is truly a war we are fighting and we are most definitely outgunned, so be on the defense at all times.
b
@Sanch To be clear, Hostek has not applied Adobe's latest security updates?
If so, that's a rather bad look
Especially if it led to your site being compromised
s
It's a shared plan so I don't have admin access. I'm not 100% sure, but I think maybe Hostek applied the security updates late and that gave attackers time to compromise sites. I noticed the `_cfclient` requests in the log files started 2023-04-11. Adobe published this security update on March 14, 2023.
a
`writeoutput(server.coldfusion.productversion)` will tell you what patch it is currently using (or `<cfoutput>#server.coldfusion.productversion#</cfoutput>` - so used to using cfscript!).
b
I recommend a tool like @foundeo’s fixinator which actually scans your source code for common hacks like that.
You may not be able to run that yourself on shared hosting, but hostek probably should
a
We are explicitly blocking any request with `cfclient` in the query string (can be done at webserver level or CF level or with something like FuseGuard).
s
@aliaspooryorik it printed: `2018,0,16,330130`. Is there any way to see what the version was on April 11?
a
I don't think so - not without access to the server logs.
BTW: ColdFusion 2018 is EOL (so not supported at all) on the 13th of July 2023. So they need to sort that out ASAP.
f
if you use hackmycf it would have a log of that… but without that you probably don’t have permission to see - you can ask hostek support though, they should be able to check
s
I just sent a message to Hostek support to see if they will tell me when the patches were installed. Thanks for all the insight.
a
Did they get back to you?
s
From Hostek: We had Update 16 installed on March 26th for this server.
@hemi345 pointed out that the log files I shared with the `_cfclient` call returned 404. There were a bunch more and they all had 404 or 403.
b
@Sanch, the lines of log you have shared here pertain to CKEditor. Your server might perhaps have been a victim of the exploit CVE-2018-15961.
s
@bkbk Oh boy. Thanks